Modify "Ensure 'Allow log on locally' to capture Administrators, Users"

I’ve been reviewing the check fixlet “(L1) Ensure ‘Allow log on locally’ is set to ‘Administrators, Users’” from CIS Checklist for Windows 10

not exists 1 whose (exists (concatenation ", " of (it as string) of ((number of substrings separated by ", " whose (it is not "") whose (it as boolean is False) of it = 0) of concatenation ", " of (it as string) of (exist matches (regex "S-1-5-32-(544|545)") of it) of component strings of sids of it) of accounts with privilege "SeInteractiveLogonRight") whose (number of substrings separated by ", " whose (it is not "") of it > 0 and number of substrings separated by ", " whose (it is not "") whose (it as boolean is False) of it = 0))

I noticed that these SID values are the ones indicated in the part of the script below:

not exists 1 whose (exists (concatenation ", " of (it as string) of ((number of substrings separated by ", " whose (it is not "") whose (it as boolean is False) of it = 0) of concatenation ", " of (it as string) of (exist matches (regex "S-1-5-32-(544|545)") of it) of component strings of sids of it) of accounts with privilege "SeInteractiveLogonRight") whose (number of substrings separated by ", " whose (it is not "") of it > 0 and number of substrings separated by ", " whose (it is not "") whose (it as boolean is False) of it = 0))

I wanted to add another SID value which points to a specific group I currently have. I verified that the SID value is “S-1-5-21-1670090376-3868680533-3606904405-512”

How can I add it to the existing relevance?

Basically I want to have a check similar to the one below:
“(L1) Ensure ‘Allow log on locally’ is set to ‘Administrators, Users, BigFixAdmin-Group’”

You would need to create a custom site for the checks you want to edit, then copy the checks to that site, then you will be able to edit the relevance and add your changes.
All computers that you want to run that check on should be subscribed to that site.
This is standard use of SCM checks as fixlets/checks etc in the External Sites cannot be edited.
Please see the following URL for more details:
https://bigfix-wiki.hcltechsw.com/wikis/home?lang=en-us#!/wiki/BigFix%20Wiki/page/SCM%20Checklist%20Deployment%20Best%20Practices

Dave L.


Since this particular check does not have an input field to override the expected value, I think the question is “what value should I set for the regular expression”? As DaveL says you’d need a Custom Checklist site in order to modify the fixlet. In the Relevance, what I expect would work is to replace the Regular Expression in both places with

regex "(S-1-5-32-(544|545))|(S-1-5-21-1670090376-3868680533-3606904405-512)"

If you want the Remediation, in the ActionScript you’d replace the SeInteractiveLogonRight with either

SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-21-1670090376-3868680533-3606904405-512

or

SeInteractiveLogonRight = Administrators,Users,MyDomainName\BigFixAdmin-Group

(or a mix of group names and *S values for SIDs)

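An added example, not part of the thread or of the CIS content: a Python model of what the modified check accepts, using the regex from the answer above against constructed SID lists. It assumes the relevance passes when at least one account holds the right and every holder's SID matches, and that the match is a substring search; `holder_ok`, `compliant`, `unexpected` and the `whole` flag are hypothetical names.

```python
import re

# Regex from the answer above: built-in Administrators (544) and Users (545),
# plus the poster's domain group SID.
ALLOWED = re.compile(
    r"(S-1-5-32-(544|545))|(S-1-5-21-1670090376-3868680533-3606904405-512)"
)

def holder_ok(sid, whole=False):
    """True if one SID is accepted. whole=False mirrors a substring match
    (assumed behaviour of the relevance); whole=True requires the entire
    SID string to match."""
    m = ALLOWED.fullmatch(sid) if whole else ALLOWED.search(sid)
    return m is not None

def compliant(sids, whole=False):
    """Model of the check: at least one holder, and no holder outside the set."""
    return len(sids) > 0 and all(holder_ok(s, whole) for s in sids)

def unexpected(sids, whole=False):
    """Holders of the right that the pattern does not accept."""
    return [s for s in sids if not holder_ok(s, whole)]

# Constructed sample data: SIDs holding SeInteractiveLogonRight on a host.
EXPECTED = [
    "S-1-5-32-544",
    "S-1-5-32-545",
    "S-1-5-21-1670090376-3868680533-3606904405-512",
]
WITH_GUESTS = EXPECTED + ["S-1-5-32-546"]  # built-in Guests added
# Constructed: a different RID in the same domain that merely starts with 512.
LOOKALIKE = EXPECTED + ["S-1-5-21-1670090376-3868680533-3606904405-5121"]

if __name__ == "__main__":
    for name, sids in [("expected", EXPECTED), ("with guests", WITH_GUESTS),
                       ("lookalike RID", LOOKALIKE), ("empty", [])]:
        print(f"{name:14} substring={compliant(sids)} "
              f"whole={compliant(sids, whole=True)} "
              f"rejected(whole)={unexpected(sids, whole=True)}")
```

Under the substring assumption a SID that only begins with the allowed group's SID still passes, so after editing the relevance it is worth evaluating it against a test machine where such an account holds the right.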

Thanks, Dave. We created a custom check using the “Create Custom Checklist” wizard before attempting to modify the relevance.

Thanks, @JasonWalker. This is exactly what we need.